How secure is OneDrive? Microsoft’s cloud security explained

If you’re using OneDrive, you’re using Microsoft’s service to upload and share your files in their cloud. In this article, we’ll examine which data protection and security measures Microsoft implements for its cloud service.

Is OneDrive secure?

Microsoft has stated that they use end-to-end encryption with AES 256-bit standard for uploads, downloads and backups.

They also add another layer of security to OneDrive with two-factor authentication and the SSL/TLS encryption standard. Despite offering rather robust data security through good encryption, it’s not possible to completely rule out the possibility of third parties accessing your data. Microsoft does not offer zero-knowledge encryption, giving Microsoft developers and the U.S. government access to data stored in OneDrive, if required.


What is OneDrive?

With OneDrive, you can store and organise your files, documents and other types of data (e.g., contacts, notes, passwords or photos) in Microsoft’s cloud. OneDrive is available for all Windows systems, but you need a Microsoft account to use it. Anyone using Microsoft 365 automatically has access to OneDrive.

You can choose to synchronise your OneDrive files across all your devices or for selected apps and devices only. You can also create automatic backups and collaborate with others on the files by using sharing options. OneDrive has another advantage in that it comes with 5 GB of free cloud storage.

How is OneDrive encrypted?

Detailed information about Microsoft’s security measures for OneDrive can be found on Microsoft’s website. Microsoft emphasises that for additional data protection and security, end-to-end encryption using the AES-256-bit encryption standard is employed. It would take several billion years to crack an encryption like this, even with a supercomputer. AES 256-bit is an encryption method that is sufficient to protect your data against large-scale brute-force attacks. For additional security and encryption during data transfer between client and server, Microsoft uses the TLS encryption standard as well.

Data access rights in OneDrive

As a OneDrive user, you still have considerable power when determining who can access your OneDrive files. Similar to Google Drive, OneDrive gives you the ability to grant reading, viewing and editing rights to people. You can do this via the Share menu for each of your folders or files. Once you have selected a specific person or group of people, you can provide access to the document via a shareable link or by sending an email. You can edit or delete any of these rights at any time. This way, you always retain control over access rights and determine who can view and edit files.

Microsoft emphasises that a Zero standing access policy applies to its access rights to your data. This means that even technicians may only access your data in exceptional cases, with explicit permission and under heightened security and maintenance requirements. However, there’s an exception in place for U.S. government agencies. As an American company, Microsoft is obligated to comply with legitimate requests from U.S. authorities and grant access to OneDrive data. Since U.S. laws such as the Cloud Act and the Foreign Intelligence Surveillance Act (FISA) set low thresholds for surveillance and data sharing, there is a risk that U.S. authorities can relatively easily access your OneDrive data.

OneDrive and the Cloud Act

The Cloud Act was passed in 2018 and significantly expands the rights of U.S. authorities to monitor U.S. citizens as well as all companies operating within U.S. borders. U.S. companies like Microsoft are required by law to share data with governmental agencies, even if the data is located on servers abroad. In order to access such data, the U.S. government needs to have a warrant. There are some rare occasions, though, where a warrant or a subpoena is not required.

These new, wider-reaching surveillance rights have caused concern in Europe. In 2020, the European Court of Justice declared the EU-U.S. Privacy Shield invalid, as the U.S. no longer meets European data protection standards. Previously, the Privacy Shield ensured a secure transfer of data from the EU to the U.S. It has yet to be replaced by any new legislation. Microsoft has certified itself under the EU-US Data Privacy Framework, the successor to the Privacy Shield. However, since this is a self-certification process, it is unclear to what extent users can rely on the company’s assurances.

How secure is OneDrive against cyberattacks?

Microsoft generally provides solid and reliable security for cloud storage, similar to Google and Apple. This is especially true if you use OneDrive for personal purposes or to store non-business-critical data.

OneDrive’s security measures against cyberattacks and unauthorised access include:

  • Password protection with a secure password
  • Two-factor authentication
  • AES 256-bit encryption
  • TLS encryption
  • Zero standing access
  • Network protection through isolated networks and firewalls
  • Mobile encryption of data with the OneDrive app
  • Account recovery (using email, phone number or security question)
  • Account notifications for suspicious logins
  • Spam filtering for OneDrive mail and virus scanning through Microsoft Defender
  • Ransomware protection (with Microsoft 365)
  • Personal OneDrive vault
  • Highly secure data centres
  • Automatic backups
  • Synchronisation of data with connected devices
  • Automatic scanning of uploads for malware or illegal content
  • End-to-end encryption for backups, uploads and downloads

Where are OneDrive servers located?

Microsoft hosts their data in data centres in the United States, Asia and the European Union. You can see where your data is hosted in the settings of Microsoft Office 365. It’s not possible to choose a specific data centre for storing your company’s data.

The European Union’s data privacy law, the GDPR, sets high standards for data privacy and security. Cloud storage providers located in Germany and Switzerland are among the most secure in the world.

Tip

Want more protection for your data than provided under U.S. law? Need to be compliant with GDPR requirements in the European Union? HiDrive cloud storage from IONOS is a viable option. Your data will be fully encrypted and stored securely in our certified data centres in Europe. You can also choose the location of the data centre to ensure GDPR compliance, if needed.

Is OneDrive compliant with the GDPR?

If you do business in the EU, you need to comply with the GDPR when storing and using customer data. Since OneDrive can transfer data to servers located in the U.S. without the Privacy Shield agreement as well as to servers in non-EU countries, OneDrive is not considered compliant with the GDPR. Furthermore, OneDrive terms and conditions grant Microsoft the right to use stored data, meaning GDPR-compliant data processing is not guaranteed.

According to Microsoft, the storage and processing of OneDrive data takes place in geographically distributed regions and availability zones. However, users cannot determine which specific geographic region their OneDrive servers belong to. Another grey area: Microsoft scans OneDrive uploads, such as documents and photos, for security purposes, including malware detection and illegal content filtering. However, the technical basis for these scans and what happens to the analysed data remain unclear to users. It is therefore evident that OneDrive does not comply with the GDPR unless companies implement their own protective measures.

Is OneDrive secure for business and compliance?

From a data privacy and compliance standpoint, OneDrive poses several challenges for businesses handling sensitive customer or corporate data. While Microsoft provides robust security measures, businesses using OneDrive must take additional steps to ensure compliance with US and international data protection laws. One key issue is that Microsoft is a US-based company operating global data centres, which means user data may be transferred across international borders. This raises concerns, particularly for organisations handling data regulated by GDPR or other stringent data privacy laws.

Companies that still choose to use OneDrive must include the following details in their privacy policy:

  • Why is OneDrive used for data storage?
  • What legal basis justifies data storage and processing?
  • Has a data processing agreement (DPA) been signed with Microsoft?
  • How can users object to data collection and processing?
  • Where can Microsoft’s applicable usage and privacy policies be found?

According to Article 28 of the GDPR, companies must sign a data processing agreement (DPA) with Microsoft if they store business-related data in OneDrive. This agreement must define:

  • What personal data Microsoft receives
  • Why data is shared with Microsoft
  • How long Microsoft stores the data
  • Which rights, obligations, and liability clauses apply

To use OneDrive in compliance with GDPR and corporate regulations, follow these steps:

  • Obtain user consent via opt-in for essential and non-essential cookies.
  • Sign a data processing agreement (DPA) with Microsoft.
  • Update your privacy policy with clear information about Microsoft’s data processing practices.
  • Review Microsoft’s Standard Contractual Clauses (SCCs).
  • Document data transfer risks and ensure legal protection against data privacy violations.

What are some alternatives to OneDrive?

If you have concerns about Microsoft’s data privacy measures and are still wondering which cloud service is the most secure, consider comparing cloud providers to find the right one for you.

Some of the most popular cloud providers include:

  • IONOS with its secure HiDrive Cloud Storage
  • IBM Cloud
  • Microsoft Azure

A cloud storage comparison will help you assess the available features and maximise security when looking for OneDrive alternatives.
